On Mon, Jun 17, 2019 at 12:30:22PM +0000, Goeman, Stefan wrote:
> Hello,
>
> Is it possible with the dogtag PKI to issue certificates that contain a CRL
> Distribution Point certificate extension?
> I would like to work with a CRL web server, instead of using OCSP.
>
> Much thanks in advance for your feedback!
>
> Greetings,
> Stefan Goeman
>

Hi Stefan,

Yes, Dogtag supports CRL Distribution Point extension. Example profile configuration:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=

Hope that helps!
Fraser

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
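
A small lint for the crlDistPoints* profile parameters shown in the reply above, added here as an example; it is not part of the original thread and is not Dogtag code. The function names and the checks themselves are assumptions (hypothetical, not Dogtag's own validation); the https/ldaps warning follows RFC 5280 section 8.

```python
from urllib.parse import urlparse

IMPL = "crlDistributionPointsExtDefaultImpl"
# Constructed sample input: crlDistPoints* lines of the profile quoted in the reply.
P = "policyset.serverCertSet.9.default."
SAMPLE = "\n".join(P + s for s in (
    "class_id=" + IMPL,
    "params.crlDistPointsNum=1",
    "params.crlDistPointsEnable_0=true",
    "params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca",
    "params.crlDistPointsIssuerType_0=DirectoryName",
    "params.crlDistPointsPointName_0=http://example.com/ipa/crl/MasterCRL.bin",
    "params.crlDistPointsPointType_0=URIName",
))

def crl_policies(text):
    """Map each CRL DP policy prefix to its default.params.* values."""
    kv = dict(l.split("=", 1) for l in text.splitlines() if "=" in l and l[0] != "#")
    found = {}
    for key, val in kv.items():
        if key.endswith(".default.class_id") and val == IMPL:
            pre = key[:-len("class_id")] + "params."
            found[pre] = {k[len(pre):]: v for k, v in kv.items() if k.startswith(pre)}
    return found

def lint(text):
    """Return a list of findings (hypothetical checks, not Dogtag's own validation)."""
    out, policies = [], crl_policies(text)
    if not policies:
        out.append("no CRL Distribution Points policy in this profile")
    for p in policies.values():
        num = int(p.get("crlDistPointsNum") or 0)
        live = [i for i in range(num) if p.get(f"crlDistPointsEnable_{i}") == "true"]
        if not live:
            out.append("no enabled distribution point below crlDistPointsNum")
        for i in live:
            name = p.get(f"crlDistPointsPointName_{i}", "")
            if p.get(f"crlDistPointsPointType_{i}") == "URIName":
                u = urlparse(name)
                if not (u.scheme and u.netloc):
                    out.append(f"point {i}: {name!r} is not an absolute URI")
                elif u.scheme in ("https", "ldaps"):
                    # RFC 5280 section 8: a TLS-protected CRL URI can create a circular dependency.
                    out.append(f"point {i}: {u.scheme} URI (RFC 5280 section 8)")
            if bool(p.get(f"crlDistPointsIssuerName_{i}")) != bool(p.get(f"crlDistPointsIssuerType_{i}")):
                out.append(f"point {i}: issuer name and issuer type must be set together")
    return out

if __name__ == "__main__":
    print(lint(SAMPLE) or "profile OK")
```

Pass the text of a profile file to `lint()`; an empty list means none of these checks fired.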